4 Host Intrusion Detection System (HIDS)

This chapter describes the Host Intrusion Detection System (HIDS) security feature available to the Platform Administrator through the Linux Command Line Interface (CLI). The platcfg utility of the Operating System (OS) is used for configuring this feature.

Host Intrusion Detection System Overview

The Host Intrusion Detection System (HIDS) feature monitors a server for malicious activity by periodically examining file system changes and log files and by auditing processes. The HIDS feature monitors TPD and TVOE log files and ensures that the HIDS and Syscheck processes are running.

The HIDS monitoring feature monitors the following protected log files:

  • All files in /var/TKLC/log/hids
  • /var/log/messages
  • /var/log/secure
  • /var/log/cron

HIDS writes the following log files in /var/TKLC/log/hids:

  • alarms.log – Any HIDS activity that results in an alarm being raised or cleared is logged in this file, for example a file tampering alarm, a Syscheck process alarm, or a Samhain process alarm.
  • admin.log – The result (success or error) of every HIDS command executed is logged in this file. This file also records attempts to run HIDS commands by a user who is not a HIDS administrator.
  • hids.log – Any other information, such as state changes and Samhain runs that find no file tampering, is logged in this file.

HIDS monitors no other system resources (files, processes, actions, and so on) beyond those listed above.

HIDS alarms are standard TPD alarms with the alarmEventType set to securityServiceOrMechanismViolation. The HIDS alarms are propagated through normal COMCOL channels, resulting in SNMP traps being sent to the client's SNMP management system if configured. The active alarms can be viewed in the platcfg GUI. You can also view the active alarms on the Diameter Signaling Router (DSR) GUI by navigating to Alarms & Events > View Active.

Checking the Host Intrusion Detection System Status

This section describes the procedure to check the status of Host Intrusion Detection System (HIDS).

Perform the following steps to determine the HIDS status:
  1. Log in as admusr on the server.
    login: admusr
    Password: <current admin user password>
  2. Run the following command to open the platcfg menu:
    $ sudo su - platcfg
  3. Select Security from the Main Menu and press Enter.

    Figure 4-1 Main Menu

  4. Select HIDS from the menu and press Enter.

    Figure 4-2 Security Menu

  5. To check the HIDS status, perform the following:
    1. Type the Username and Password for a user that is part of the secgrp group.

      Figure 4-3 Security User Login

      Note:

      By default, admusr is part of the secgrp group.
    2. Select OK and press Enter.
      The HIDS menu displays, with the HIDS Monitoring State listed at the top of the window.

      Figure 4-4 HIDS Monitoring State

  6. Select Exit in each of the menus until a command prompt is reached.

Initializing the Host Intrusion Detection System

This section describes the procedure to initialize the Host Intrusion Detection System (HIDS). Initializing records the checksums of the protected files as the HIDS baseline, so it should be run on a server whose files are known to be good: any tampering already present at initialization is accepted into the baseline and is not detected later.

Perform the following steps to initialize HIDS:
  1. Log in as admusr on the server.
    login: admusr
    Password: <current admin user password>
  2. Run the following command to open the platcfg menu:
    $ sudo su - platcfg
  3. Select Security from the Main Menu and press Enter.

    Figure 4-5 Main Menu

  4. Select HIDS from the menu and press Enter.

    Figure 4-6 Security Menu

  5. To log in to the HIDS menu, perform the following:
    1. Type the Username and Password for a user that is part of the secgrp group.

      Figure 4-7 Security User Login

      Note:

      By default, admusr is part of the secgrp group.
    2. Select OK and press Enter.
  6. To initialize HIDS, perform the following:
    1. Select Initialize and press Enter.

      Figure 4-8 Initialize HIDS

    2. Select Yes and press Enter.
    3. After the message "HIDS baseline successfully initialized" displays, press any key to continue.
  7. Select Exit in each of the menus until a command prompt is reached.

Enabling or Disabling Host Intrusion Detection System

This section describes the procedure to enable or disable Host Intrusion Detection System (HIDS).

The Host Intrusion Detection System (HIDS) feature must be initialized before enabling HIDS for the first time on a system.

Perform the following steps to enable or disable HIDS:

  1. Log in as admusr on the server.
    login: admusr
    Password: <current admin user password>
  2. Run the following command to open the platcfg menu:
    $ sudo su - platcfg
  3. Select Security from the Main Menu and press Enter.

    Figure 4-9 Main Menu

  4. Select HIDS from the menu and press Enter.

    Figure 4-10 Security Menu

  5. To log in to the HIDS menu, perform the following:
    1. Type the Username and Password for a user that is part of the secgrp group.

      Figure 4-11 Security User Login

      Note:

      By default, admusr is part of the secgrp group.
    2. Select OK and press Enter.
  6. To enable or disable HIDS, perform the following:
    1. Select Enable/Disable and press Enter.

      Figure 4-12 Enable or Disable Menu

    2. Select either the Enable or the Disable option.

      Figure 4-13 Enable or Disable HIDS

    3. Select OK and press Enter.
    4. After the message box indicating that monitoring has been enabled or disabled (or a failure message) displays, press any key to continue.
  7. Select Exit in each of the menus until a command prompt is reached.

Suspending or Resuming Host Intrusion Detection System

This section describes the procedure to temporarily suspend or resume Host Intrusion Detection System (HIDS) monitoring on a system that has HIDS enabled.

Perform the following steps to suspend or resume HIDS:

  1. Log in as admusr on the server.
    login: admusr
    Password: <current admin user password>
  2. Run the following command to open the platcfg menu:
    $ sudo su - platcfg
  3. Select Security from the Main Menu and press Enter.

    Figure 4-14 Main Menu

  4. Select HIDS from the menu and press Enter.

    Figure 4-15 Security Menu

  5. To log in to the HIDS menu, perform the following:
    1. Type the Username and Password for a user that is part of the secgrp group.

      Figure 4-16 Security User Login

      Note:

      By default, admusr is part of the secgrp group.
    2. Select OK and press Enter.
  6. To suspend or resume HIDS, perform the following:
    1. Select Suspend/Resume and press Enter.

      Figure 4-17 Suspend or Resume in Enabled Menu

    2. Select either the Suspend or the Resume option.

      Figure 4-18 Suspend or Resume HIDS

    3. Select OK and press Enter.
    4. After the message box indicating that monitoring has been suspended or resumed (or a failure message) displays, press any key to continue.
  7. Select Exit in each of the menus until a command prompt is reached.

Running On-Demand HIDS Security Check

The HIDS tests run periodically. This section describes the procedure to force an immediate run of the HIDS tests by using the On-demand HIDS menu.

Perform the following steps to run on-demand HIDS tests:

  1. Log in as admusr on the server.
    login: admusr
    Password: <current admin user password>
  2. Run the following command to open the platcfg menu:
    $ sudo su - platcfg
  3. Select Security from the Main Menu and press Enter.

    Figure 4-19 Main Menu

  4. Select HIDS from the menu and press Enter.

    Figure 4-20 Security Menu

  5. To log in to the HIDS menu, perform the following:
    1. Type the Username and Password for a user that is part of the secgrp group.

      Figure 4-21 Security User Login

      Note:

      By default, admusr is part of the secgrp group.
    2. Select OK and press Enter.
  6. To run the on-demand HIDS tests, perform the following:
    1. Select On-demand and press Enter.

      Figure 4-22 On-Demand HIDS Test

    2. Select OK and press Enter.
    3. After the message box that indicates the success or failure result displays, press any key to continue. If an error exists, a screen similar to the following displays:

      Figure 4-23 HIDS On-Demand Check Results

      The alarm can also be seen when viewing alarms in platcfg. For more information, see the Host Intrusion Detection System Alarms section.

      The alarm is also propagated through normal COMCOL channels, so it is accessible on the Diameter Signaling Router (DSR) GUI by navigating to Alarms & Events > View Active, as shown in Step 8.

  7. Select Exit in each of the menus until a command prompt is reached.
  8. Optionally, to view the HIDS alarm, log in to the DSR GUI and navigate to Alarms & Events > View Active.
    Example screens for the current alarm are as follows:

    Figure 4-24 Alarms and Events Menu

    Figure 4-25 View Report

Updating Host Intrusion Detection System Baseline

This section describes the procedure to update the checksums of all files, or of specific files, in the HIDS baseline. Updating clears the HIDS alarms associated with the updated files, because the files' current contents become the new reference. Update a file's baseline only after confirming that the change to that file was legitimate; an update does not undo tampering, it accepts it.

Perform the following steps to update the checksums on all files or specific files in the HIDS baseline:

  1. Log in as admusr on the server.
    login: admusr
    Password: <current admin user password>
  2. Run the following command to open the platcfg menu:
    $ sudo su - platcfg
  3. Select Security from the Main Menu and press Enter.

    Figure 4-26 Main Menu

  4. Select HIDS from the menu and press Enter.

    Figure 4-27 Security Menu

  5. To log in to the HIDS menu, perform the following:
    1. Type the Username and Password for a user that is part of the secgrp group.

      Figure 4-28 Security User Login

      Note:

      By default, admusr is part of the secgrp group.
    2. Select OK and press Enter.
  6. To update the HIDS baseline, perform the following:
    1. Select Update and press Enter.

      Figure 4-29 Update HIDS

    2. Select the file or files whose baseline entries are to be updated (or all files).

      Figure 4-30 Update File's Baseline

    3. Select OK and press Enter.
    4. After the message box that indicates the success or failure result displays, press any key to continue.
  7. Select Exit in each of the menus until a command prompt is reached.
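The Initialize, On-demand and Update procedures above are the three operations of a checksum baseline. The following Python script, added here as an illustration and not Samhain, TPD or platcfg code, models that workflow on files in a temporary directory: it records SHA-256 checksums as a baseline, re-checks the files and classifies each as ok, tampered or missing, then re-baselines only a chosen file so that its alarm clears while the others keep alarming. The file names, the JSON baseline store and the sample contents are constructed for the example.

```python
"""Illustrative checksum-baseline workflow: initialize -> check -> update.

Example code only (not Samhain, TPD or platcfg). The baseline is stored as
a JSON file mapping path -> SHA-256 hex digest; this format is an assumption.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def initialize(files, baseline_path: Path) -> dict:
    """'Initialize': record the current checksum of every protected file.

    Whatever the files contain now becomes the trusted reference, so this
    must run on a known-good system.
    """
    baseline = {str(p): sha256_file(p) for p in files}
    baseline_path.write_text(json.dumps(baseline, indent=1))
    return baseline


def check(baseline_path: Path) -> dict:
    """'On-demand' check: compare each baselined file against its stored digest.

    Returns {path: "ok" | "tampered" | "missing"}; anything not "ok" is
    what would raise a file-tampering alarm.
    """
    baseline = json.loads(baseline_path.read_text())
    results = {}
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            results[path] = "missing"
        elif sha256_file(p) != expected:
            results[path] = "tampered"
        else:
            results[path] = "ok"
    return results


def update(baseline_path: Path, paths=None) -> dict:
    """'Update': re-baseline all files (paths=None) or only the named ones.

    Only the updated entries stop alarming; other mismatches persist.
    A requested path that no longer exists raises FileNotFoundError rather
    than being silently dropped from the baseline.
    """
    baseline = json.loads(baseline_path.read_text())
    targets = list(baseline) if paths is None else [str(p) for p in paths]
    for path in targets:
        baseline[path] = sha256_file(Path(path))
    baseline_path.write_text(json.dumps(baseline, indent=1))
    return baseline


def demo() -> dict:
    """Run the workflow on constructed files; return check results per stage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        a, b = root / "a.conf", root / "b.conf"
        a.write_text("setting=1\n")          # constructed sample content
        b.write_text("other=2\n")
        baseline = root / "baseline.json"

        initialize([a, b], baseline)
        stages = {"after_init": check(baseline)}

        a.write_text("setting=1\nextra=yes\n")  # simulate tampering with a.conf
        b.unlink()                              # simulate deletion of b.conf
        stages["after_tamper"] = check(baseline)

        update(baseline, [a])                   # accept the change to a.conf only
        stages["after_update_a"] = check(baseline)

        # Report by file name so the result is independent of the temp dir.
        return {stage: {Path(p).name: s for p, s in res.items()}
                for stage, res in stages.items()}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

Note that update() accepts whatever the file contains at the moment it runs, which is why the Update procedure should follow an investigation of the change rather than replace one. A real HIDS also protects its baseline store against tampering; this example leaves it as a plain file.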

Deleting Host Intrusion Detection System

This section describes the procedure to permanently disable HIDS or to back out from a product upgrade by using the HIDS Delete menu.

Perform the following steps to delete HIDS:

  1. Log in as admusr on the server.
    login: admusr
    Password: <current admin user password>
  2. Run the following command to open the platcfg menu:
    $ sudo su - platcfg
  3. Select Security from the Main Menu and press Enter.

    Figure 4-31 Main Menu

  4. Select HIDS from the menu and press Enter.

    Figure 4-32 Security Menu

  5. To log in to the HIDS menu, perform the following:
    1. Type the Username and Password for a user that is part of the secgrp group.

      Figure 4-33 Security User Login

      Note:

      By default, admusr is part of the secgrp group.
    2. Select OK and press Enter.
  6. To delete HIDS, perform the following:
    1. Select Delete and press Enter.

      Figure 4-34 Delete HIDS

    2. Confirm the deletion of the HIDS baseline when prompted.

      Figure 4-35 Delete HIDS Baseline

    3. Select OK and press Enter.
    4. After the message box that indicates the success or failure result displays, press any key to continue.
  7. Select Exit in each of the menus until a command prompt is reached.

Host Intrusion Detection System Alarms

This section gives an overview of HIDS alarms and describes how to view them.

The HIDS alarms are standard TPD alarms with the alarmEventType set to securityServiceOrMechanismViolation.

The HIDS alarms are propagated through normal COMCOL channels that result in SNMP traps being sent to the client's SNMP management system if configured.

Alarms can be viewed in the following ways:
  • You can view current alarms, previously cleared alarms, and how each alarm was cleared in the /var/TKLC/log/hids/alarms.log file.
  • You can view active alarms on the DSR GUI by navigating to Main Menu > Alarms & Events > View Active.
  • You can view active alarms on the platcfg GUI, including HIDS alarms, by performing the following steps:
  1. Log in as admusr on the server.
    login: admusr
    Password: <current admin user password>
  2. Run the following command to open the platcfg menu:
    $ sudo su - platcfg
  3. Select Diagnostics from the Main Menu and press Enter.

    Figure 4-36 Diagnostics on Main Menu

  4. Select Alarm Manager from the menu and press Enter.

    Figure 4-37 Alarm Manager

  5. To view the alarm status, perform the following:
    1. Select Show Alarm Status from the menu and press Enter.

      Figure 4-38 Alarm Status

    2. The current alarm status displays; press any key to continue. If a HIDS alarm is active, a screen similar to the following displays:

      Figure 4-39 Alarm

  6. Select Exit in each of the menus until a command prompt is reached.